Getting started with the SOAR Platform

Use the Getting Started Guide to learn about the high-level capabilities of the IBM Security® QRadar® SOAR Platform, including documentation and other IBM® resources to help get you started.

IBM Security QRadar SOAR orchestrates and automates the people, processes, and technology that are associated with incident response. IBM Security QRadar SOAR streamlines incident and privacy response management to provide an automatic, fast, and flexible way for organizations to react to events and incidents. It is available for cloud or on-premises environments, based on your business needs.

You can integrate IBM Security QRadar SOAR into your environment so that it automatically shares data with other tools. You can even automate actions that are run by the other tools, such as a search of impacted systems when a malware incident is recorded.

Your organization can customize IBM Security QRadar SOAR to meet the following basic use cases.

  • Monitoring and Escalation. IBM Security QRadar SOAR enables incidents, including relevant data, to be entered by users or systems that are integrated with IBM Security QRadar SOAR. You can then monitor the status from the start to the resolution of the incident. Data can include artifacts such as IP addresses, file hashes, URLs, user names, and system names. All data is associated with an incident.
  • Identification and Enrichment. Automatic threat intelligence lookups, workflows, and menu-driven actions can deliver valuable context and reduce the time needed to identify scope and impact, which enables a rapid, decisive response. Trigger sandbox evaluation and build rules to act on the results. Search logs and endpoints and make decisions based on the data. Include CMDB and directory information to help analysts make an accurate assessment of severity and impact. Pivot on these critical data elements to dynamically adjust the way that your team responds. Several cyberthreat sources are integrated into the product, and you can integrate your own threat services.
  • Containment, Response, and Recovery. Based on trigger conditions, or based on manual actions, the system can send notifications or initiate external activities to contain and adjust your security posture as a part of your response playbook.
  • Communication and Coordination. Includes use of custom actions, functions, and the REST API to integrate bidirectionally with your environment, including ticketing and service management, smart notifications, communication platforms, and other business applications. By integrating beyond the SOC, users can coordinate a fast and effective incident resolution.
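The enrichment-then-trigger flow that the use cases above describe (artifacts attached to an incident, a threat intelligence lookup on each one, and rules that fire containment or notification actions on the result) is shown below as an added, stand-alone example. It is not IBM code and does not use the QRadar SOAR REST API or data model; the `Incident`, `Artifact`, `THREAT_INTEL` table, rule list, and action names such as `isolate_host` are all constructed for illustration.

```python
"""Illustrative SOAR-style enrichment and rule engine (constructed example, not QRadar SOAR code)."""
from dataclasses import dataclass, field
import re

# Constructed threat-intelligence table standing in for an external lookup service.
THREAT_INTEL = {
    "198.51.100.23": {"verdict": "malicious", "tags": ["c2"]},
    "example.net": {"verdict": "suspicious", "tags": ["phishing-kit"]},
}

# Simple classifiers for the artifact types the guide lists (IP, hash, URL, host name).
ARTIFACT_PATTERNS = {
    "ip": re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
    "url": re.compile(r"^https?://", re.I),
}


@dataclass
class Artifact:
    value: str
    kind: str
    verdict: str = "unknown"
    tags: list = field(default_factory=list)


@dataclass
class Incident:
    title: str
    severity: str = "low"
    artifacts: list = field(default_factory=list)
    actions: list = field(default_factory=list)  # actions the rules decided to run


def classify(value):
    """Return the artifact kind for a raw value (hypothetical helper)."""
    for kind, pat in ARTIFACT_PATTERNS.items():
        if pat.match(value):
            return kind
    return "hostname" if "." in value else "string"


def enrich(incident, intel=THREAT_INTEL):
    """Look every artifact up in the intel table; URLs are reduced to their host."""
    for art in incident.artifacts:
        key = art.value
        if art.kind == "url":
            key = re.sub(r"^https?://", "", key, flags=re.I).split("/")[0]
        hit = intel.get(key)
        if hit:
            art.verdict = hit["verdict"]
            art.tags = list(hit["tags"])
    return incident


# Rules: (condition over the enriched incident, ordered list of actions). First match wins.
RULES = [
    (lambda inc: any(a.verdict == "malicious" for a in inc.artifacts),
     [("set_severity", "high"), ("notify", "soc-oncall"), ("isolate_host", None)]),
    (lambda inc: any(a.verdict == "suspicious" for a in inc.artifacts),
     [("set_severity", "medium"), ("notify", "triage-queue")]),
]


def apply_rules(incident, rules=RULES):
    """Evaluate trigger conditions and record the resulting actions on the incident."""
    for condition, actions in rules:
        if condition(incident):
            for name, arg in actions:
                if name == "set_severity":
                    incident.severity = arg
                incident.actions.append((name, arg))
            break
    return incident


def handle(title, raw_values):
    """Create an incident from raw artifact values, enrich it, then run the rules."""
    inc = Incident(title, artifacts=[Artifact(v, classify(v)) for v in raw_values])
    return apply_rules(enrich(inc))


if __name__ == "__main__":
    inc = handle("Malware alert", ["198.51.100.23", "https://example.net/login", "a" * 64])
    print(inc.severity, inc.actions)
```

In a real deployment the lookup in `enrich` would call an integrated threat service and the actions in `RULES` would be dispatched to external tools; keeping the rule evaluation separate from the integrations is what lets the same playbook logic be reused and tested offline.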

If you are new to IBM Security QRadar SOAR, the Getting Started Guide provides a high-level overview of the capabilities, describes the types of personas or roles, and lists the relevant documentation and IBM communities for each role.